This is a quick up-and-running guide and lab for using the Userpass auth method together with the Duo MFA method to provide multi-factor authenticated access to Vault.
Note: This is different from the guide that enables Duo MFA for access to a specific path or KV secret (step-up MFA on a policy). Here MFA is enforced at login time, before any token is issued.
The test below was done using Vault 1.11.2+ent.
The following resources are useful to familiarize yourself with while using this guide:
Prerequisites
You need a Duo account with an application, a user, and a 2FA device enrolled for that user.
Note: Duo labels these values differently from Vault. Here is how each Duo value maps to the `identity/mfa/method/duo` parameter you will set in Vault:

| Duo           | Vault                                |
|---------------|--------------------------------------|
| Client ID     | Integration key (`integration_key`)  |
| Client secret | Secret key (`secret_key`)            |
| API hostname  | API hostname (`api_hostname`)        |
Userpass Auth Method
Enable the userpass auth method and add a user, in this example `vaultron`:

```shell
$ vault auth enable userpass
Success! Enabled userpass auth method at: userpass/

$ vault write auth/userpass/users/vaultron password=foo
Success! Data written to: auth/userpass/users/vaultron
```

Note: `foo` is a throwaway lab password. Passing it on the command line also leaves it in shell history and process listings; outside a lab, pipe the JSON payload into `vault write auth/userpass/users/vaultron -` instead.
Configure Vault Identity endpoint
Configure the `identity/mfa/method/duo` endpoint. Get the values of `integration_key` (Client ID), `secret_key` (Client secret) and `api_hostname` from Duo. For more information:

```shell
$ vault write identity/mfa/method/duo \
    integration_key=<i_key> \
    secret_key=<s_key> \
    api_hostname=<api_hostname> \
    username_format="" \
    use_passcode=true
Key          Value
---          -----
method_id    25998a00-b3b9-ebb4-c0f5-212fc8498a2
```

This outputs a `method_id` that we are going to use later when creating the login enforcement. Make a note of it.
If you would like to read back the configuration written to the method:

```shell
$ vault read identity/mfa/method/duo/25998a00-b3b9-ebb4-c0f5-212fc8498a2
Key                Value
---                -----
api_hostname       api-VALUE.duosecurity.com
id                 ID
mount_accessor     n/a
name               n/a
namespace_id       root
pushinfo           n/a
type               duo
use_passcode       true
username_format    n/a
```
Note: this example enables passcodes. If you only want the Duo push notification without a passcode prompt, omit the `use_passcode` flag from the command above (the default is `false`) or set it to `false` explicitly.
Auth Accessor
Get the accessor value of the userpass auth method:

```shell
$ vault auth list
Path         Type        Accessor                  Description
----         ----        --------                  -----------
token/       token       auth_token_77ac3ec7       token based credentials
userpass/    userpass    auth_userpass_fc37ca35    n/a
```
Configure the login enforcement
```shell
$ vault write identity/mfa/login-enforcement/duo \
    mfa_method_ids=<duo_method_id> \
    auth_method_accessors=$USERPASS_ACCESSOR
```

Examples, using the values from the steps above:

```
mfa_method_ids=25998a00-b3b9-ebb4-c0f5-212fc8498a2
auth_method_accessors=auth_userpass_fc37ca35
```

The enforcement name (`duo` here) is arbitrary. Because the enforcement is bound to the mount accessor, it applies to every user who logs in through that userpass mount, not only to `vaultron`.
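The steps above, from enabling userpass through verifying the login enforcement, as one script. This is an added example and not code from the original guide or from HashiCorp. It assumes the `vault` binary is on PATH, that VAULT_ADDR/VAULT_TOKEN reach an unsealed server with a token allowed to manage auth mounts and `identity/mfa`, and that the Duo values and the demo user's password are exported as DUO_IKEY, DUO_SKEY, DUO_HOST and VAULTRON_PASSWORD (variable names chosen for this example). Every value the later steps depend on (mount accessor, `method_id`) is read back with `-format=json` instead of being copied by hand, and the enforcement is read back at the end to confirm it binds the right method to the right mount.

```python
"""Automate the userpass + Duo login-MFA setup from this guide via the vault CLI.

Added example, not code from the original guide or from HashiCorp. Assumes the
`vault` binary is on PATH, VAULT_ADDR/VAULT_TOKEN reach an unsealed server with
a token allowed to manage auth mounts and identity/mfa, and that the Duo values
plus the demo user's password are exported as DUO_IKEY, DUO_SKEY, DUO_HOST and
VAULTRON_PASSWORD (variable names chosen for this example).
"""
import json
import os
import subprocess
import sys
from typing import Any, Dict, List, Optional

USERPASS_MOUNT = "userpass/"
ENFORCEMENT = "duo"


def vault(args: List[str], stdin: Optional[str] = None, parse: bool = True) -> Any:
    """Run one vault CLI command; parse JSON output unless the command only
    prints a 'Success!' line (writes with no returned data, auth enable)."""
    res = subprocess.run(["vault", *args], input=stdin, capture_output=True,
                         text=True, check=True)
    return json.loads(res.stdout) if parse else res.stdout


def accessor_for_mount(auth_list: Dict[str, Any], mount: str) -> Optional[str]:
    """Accessor of one mount from `vault auth list -format=json`, or None."""
    entry = auth_list.get(mount)
    return entry.get("accessor") if entry else None


def method_id_from(write_resp: Dict[str, Any]) -> str:
    """method_id returned by `vault write -format=json identity/mfa/method/duo`."""
    return write_resp["data"]["method_id"]


def duo_method_payload(ikey: str, skey: str, host: str,
                       use_passcode: bool = True) -> Dict[str, Any]:
    # Duo "Client ID" -> integration_key, Duo "Client secret" -> secret_key
    return {"integration_key": ikey, "secret_key": skey,
            "api_hostname": host, "use_passcode": use_passcode}


def enforcement_payload(method_id: str, accessor: str) -> Dict[str, List[str]]:
    return {"mfa_method_ids": [method_id], "auth_method_accessors": [accessor]}


def enforcement_covers(read_data: Dict[str, Any], method_id: str, accessor: str) -> bool:
    """True if a read-back login enforcement binds this method to this mount."""
    return (method_id in read_data.get("mfa_method_ids", [])
            and accessor in read_data.get("auth_method_accessors", []))


# Constructed sample of `vault auth list -format=json`, shaped like the real
# output (only the accessor fields matter here); used for offline checks.
SAMPLE_AUTH_LIST = {
    "token/": {"accessor": "auth_token_77ac3ec7", "type": "token"},
    "userpass/": {"accessor": "auth_userpass_fc37ca35", "type": "userpass"},
}


def main() -> int:
    mounts = vault(["auth", "list", "-format=json"])
    if USERPASS_MOUNT not in mounts:  # enabling twice is an error, so check first
        vault(["auth", "enable", "userpass"], parse=False)
        mounts = vault(["auth", "list", "-format=json"])
    accessor = accessor_for_mount(mounts, USERPASS_MOUNT)
    if accessor is None:
        print(f"{USERPASS_MOUNT} still not listed by vault auth list", file=sys.stderr)
        return 1
    # A trailing `-` makes vault read the payload as JSON from stdin, keeping the
    # password and the Duo secret key out of `ps` output and shell history.
    vault(["write", "auth/userpass/users/vaultron", "-"], parse=False,
          stdin=json.dumps({"password": os.environ["VAULTRON_PASSWORD"]}))
    resp = vault(["write", "-format=json", "identity/mfa/method/duo", "-"],
                 stdin=json.dumps(duo_method_payload(
                     os.environ["DUO_IKEY"], os.environ["DUO_SKEY"], os.environ["DUO_HOST"])))
    method_id = method_id_from(resp)
    vault(["write", f"identity/mfa/login-enforcement/{ENFORCEMENT}", "-"], parse=False,
          stdin=json.dumps(enforcement_payload(method_id, accessor)))
    data = vault(["read", "-format=json",
                  f"identity/mfa/login-enforcement/{ENFORCEMENT}"])["data"]
    if not enforcement_covers(data, method_id, accessor):
        print("login enforcement did not read back as written", file=sys.stderr)
        return 1
    print(f"method_id={method_id} accessor={accessor} enforcement={ENFORCEMENT}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The `-format=json` flag is placed before the positional arguments because the Vault CLI parses flags only in that position. Writes that return no data (`auth enable`, the user and the enforcement) print a plain `Success!` line rather than JSON, which is why those calls skip parsing.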
Authenticate to Vault
Using the CLI

```shell
$ vault login -method=userpass username=vaultron
Password (will be hidden):
Enter the passphrase for methodID "<id>" of type "duo": <enter the one-time code from the Duo app>
```
Note: if the user has not enrolled in Duo yet, the CLI returns an error asking them to enroll and prints a URL that must be pasted into a browser to complete enrollment.
If you are using the UI, you will not be able to see that URL; this will be introduced in a future release.
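What `vault login` does behind the passcode prompt above is a two-step exchange against the HTTP API: the first request returns no token but an `mfa_requirement`, and the second sends the passcode to `sys/mfa/validate`. The following is an added example of that exchange, not code from the original guide or from HashiCorp. It assumes VAULT_ADDR points at a server configured as in this guide and prompts for the username, password and passcode; `SAMPLE_LOGIN` is a constructed first-step response, shaped like Vault's real one, used for offline checks.

```python
"""Userpass login followed by Duo login-MFA validation over Vault's HTTP API.

Added example, not code from the original guide or from HashiCorp. Performs
the same two-step exchange `vault login -method=userpass` runs behind its
passcode prompt. Assumes VAULT_ADDR points at a server configured as in this
guide; username, password and passcode are prompted for.
"""
import getpass
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple


def post(addr: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    req = urllib.request.Request(f"{addr}/v1/{path}", method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # 4xx/5xx raise HTTPError
        return json.load(resp)


def mfa_requirement(login_resp: Dict[str, Any]) -> Optional[Tuple[str, List[Dict[str, Any]]]]:
    """(mfa_request_id, methods) when a login enforcement applies, else None.
    Methods are flattened from auth.mfa_requirement.mfa_constraints.<name>.any[]."""
    req = (login_resp.get("auth") or {}).get("mfa_requirement")
    if not req:
        return None
    methods = [{"enforcement": name, "id": m["id"], "type": m["type"],
                "uses_passcode": bool(m.get("uses_passcode"))}
               for name, constraint in req["mfa_constraints"].items()
               for m in constraint.get("any", [])]
    return req["mfa_request_id"], methods


def validate_payload(request_id: str, method: Dict[str, Any],
                     passcode: Optional[str]) -> Dict[str, Any]:
    """Body for sys/mfa/validate: passcode methods carry the code; push-only
    methods carry an empty list for that method ID, as the CLI sends."""
    if method["uses_passcode"]:
        if not passcode or not passcode.strip():
            raise ValueError(f"method {method['id']} requires a passcode")
        codes = [passcode.strip()]
    else:
        codes = []
    return {"mfa_request_id": request_id, "mfa_payload": {method["id"]: codes}}


def login(addr: str, username: str, password: str,
          ask: Callable[[Dict[str, Any]], str]) -> str:
    """Return a client token; `ask` is called for a passcode when one is needed."""
    first = post(addr, f"auth/userpass/login/{username}", {"password": password})
    need = mfa_requirement(first)
    if need is None:            # no enforcement matched: the token is already here
        return first["auth"]["client_token"]
    request_id, methods = need
    method = methods[0]         # 'any' lists alternatives; satisfying one is enough
    code = ask(method) if method["uses_passcode"] else None
    second = post(addr, "sys/mfa/validate", validate_payload(request_id, method, code))
    return second["auth"]["client_token"]


# Constructed sample of the first-step response (method_id from this guide,
# request id made up for the example).
SAMPLE_LOGIN = {"auth": {"client_token": "", "mfa_requirement": {
    "mfa_request_id": "c6d7e8f9-0000-4000-8000-000000000001",
    "mfa_constraints": {"duo": {"any": [
        {"type": "duo", "id": "25998a00-b3b9-ebb4-c0f5-212fc8498a2",
         "uses_passcode": True}]}}}}}


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    user = input("username: ")
    try:
        token = login(addr, user, getpass.getpass("password: "),
                      lambda m: input(f"passcode for {m['type']} method {m['id']}: "))
        print(token)
    except urllib.error.HTTPError as e:
        # Vault returns failures (bad password, Duo denial, or the Duo enrollment
        # message noted above) as JSON with an "errors" list.
        print(json.load(e).get("errors"), file=sys.stderr)
        sys.exit(1)
```

The first response carries an empty `client_token`; only after `sys/mfa/validate` succeeds does Vault issue the real one, so a client that ignores `mfa_requirement` and uses the first response gets nothing usable.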